Joshua Bernstein wrote:
> On May 29, 2008, at 3:10 PM, Prakash Velayutham wrote:
>
>> Hi All,
>>
>> This is not a Torque or Maui question, but I am very positive that
>> some of the bright guys here have this already set up in some form or
>> the other.
>>
>> We have a PHP-based web application which has a compute portion which
>> we want to ship out to our compute cluster. Also, the PHP application
>> is secure, meaning, only authenticated users can submit jobs.
>>
>> My question is, how can I make the submitted jobs run as the logged in
>> user and not the generic Apache user (wwwrun or www or somebody else
>> based on the distro)?
>
> It should be fairly straightforward to have the PHP/Apache application
> construct a job script. When the PHP script goes to qsub the script,
> instead of just doing a system("qsub..."), you should perhaps fork() and
> then setuid() to the username of user running the job. TORQUE would
> therefore see the job being submitted as the user rather than the
> www-data, or whatever user the web server is running as. I could see an
> issue though where the web user might not be able to setuid() to another
> user. I'd hesitate to run the web server with setuid privileges... Hmmm,
> it is a start though.

I solved a similar problem by implementing a little daemon process which
runs as root (and so can su to whatever user you wish) and monitors a
spool directory to which the unprivileged user (such as wwwrun) has
write access. The unprivileged user's process writes a request file and
notifies the daemon (by making a connection to a TCP socket; another IPC
mechanism could be used, too).

You could also add wwwrun to sudoers, but that would be less secure.

Regards,
Jan Ploski
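
The request handling a root spool daemon of the kind described in the reply above needs, as an added example that is not part of the original thread and not the poster's daemon code. The JSON request format (fields "user" and "script"), the MIN_UID and MAX_REQUEST limits, and passing the job script to qsub on standard input are assumptions made for the illustration.

```python
import json, os, pwd, re, stat, subprocess

MIN_UID = 1000            # assumption: lower UIDs are system accounts
MAX_REQUEST = 64 * 1024   # assumption: upper bound on a request file
USER_RE = re.compile(r"[a-z_][a-z0-9_-]{0,31}")

def read_request(path, writer_uid):
    """Parse one spool file; reject symlinks, non-regular files, and files
    not owned by the unprivileged writer (e.g. wwwrun)."""
    fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW | os.O_NONBLOCK)
    with os.fdopen(fd, "rb") as f:
        st = os.fstat(f.fileno())   # check the opened file, not the path
        if not stat.S_ISREG(st.st_mode) or st.st_uid != writer_uid:
            raise PermissionError("unexpected file type or owner")
        if st.st_size > MAX_REQUEST:
            raise ValueError("request too large")
        req = json.loads(f.read(MAX_REQUEST))
    if not (isinstance(req, dict) and isinstance(req.get("user"), str)
            and isinstance(req.get("script"), str)):
        raise ValueError("malformed request")
    return req

def resolve_user(name, lookup=pwd.getpwnam):
    """Map the requested name to an account the daemon may switch to."""
    if not USER_RE.fullmatch(name):
        raise ValueError("bad user name")
    pw = lookup(name)               # KeyError for unknown accounts
    if pw.pw_uid < MIN_UID:
        raise PermissionError("refusing root or system account")
    return pw

def submit_as(pw, script):
    """Run qsub with the target user's uid, gid and groups (needs root)."""
    env = {"PATH": "/usr/local/bin:/usr/bin:/bin", "HOME": pw.pw_dir,
           "USER": pw.pw_name, "LOGNAME": pw.pw_name}
    return subprocess.run(
        ["qsub"], input=script.encode(), env=env, cwd=pw.pw_dir, check=True,
        user=pw.pw_uid, group=pw.pw_gid,
        extra_groups=os.getgrouplist(pw.pw_name, pw.pw_gid))

def handle(path, writer_uid):
    """Validate one request file, then submit its script as that user."""
    req = read_request(path, writer_uid)
    return submit_as(resolve_user(req["user"]), req["script"])
```

The daemon can only bound what the web application asks for: the "user" field is still whatever the unprivileged process wrote, so the account checks in resolve_user are the limit on what a compromised web server could reach.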